[Virtual-pkg-base-maintainers] Bug#660514: LUKS encrypted system doesn't boot at all
Stefano
stefano13no at gmail.com
Sun Feb 19 16:45:15 UTC 2012
Package: base
Severity: important
Dear maintainers,
I tried without much success to create a base layout for an encrypted
installation manually (because the debian installer on the system I'm
currently working on crashes when partitioning hard drives).
The setup is a pretty simple LVM over LUKS over RAID setup (using GPT
partitions on a UEFI capable system - Z68 motherboard of ASUS).
I suspect the problem has to do with initramfs-tools but I'm not sure it is
the only culprit, since GRUB2 as well might be the cause.
Still it is pretty strange because at boot I get:
--------------------------------------------------------------
Loading, please wait ...
mount: mounting none on /dev/pts failed: device or resource busy
IP-Config: eth0 hardware address .... mtu 1500 DHCP RARP
IP-Config: eth1 hardware address .... mtu 1500 DHCP RARP
Volume group "vg_system" not found
Skipping volume group vg_system
Unable to find LVM volume vg_system/root
Reading all physical volumes. This may take a while ...
No volume groups found
No volume groups found
cryptsetup: evms_activate is not available
IP-Config: no response after 2 secs - giving up
[lots of other IP-Config messages]
...
Check cryptopts=source= bootarg cat /proc/cmdline
or missing modules, devices: cat /proc/modules ls /dev
-r ALERT! /dev/md1 does not exist. Dropping to a shell !
--------------------------------------------------------------
The IP-Config thing I suspect is due to dropbear (which I tried to install
to remotely unlock LUKS partitions at boot).
Still this is what I get locally, i.e. with a keyboard and monitor in front
of the machine.
I don't understand why but the order in which mdadm, lvm2 and cryptsetup /
device-mapper are run in the initramfs is just wrong.
Do you have any ideas on where (which file) this could be fixed ? I tried
to follow the following tutorials:
http://www.debian-administration.org/articles/639 ,
http://ada.adrianlang.de/existing-debian-luks ,
http://www.howtoforge.com/software-raid1-grub-boot-debian-etch and none of
them reported doing something bizarre to any other file than /etc/fstab ,
/etc/mtab , /etc/crypttab and /etc/initramfs-tools/modules.
Actually I'm running on a USB pendrive doing a chroot of the machine.
Strangely though mdadm reports different names between the "host" and the
chrooted environment (for instance "host" reported /dev/md0 and /dev/md1,
whereas "chrooted" reported /dev/md/rescue:0 and /dev/md/rescue:1). Right
now both of them seem to report /dev/md/[0,1] so this seems to have been
fixed.
Anyway this is what I get from inside the chroot:
--------------------------------------------------------------
root@rescue:/# cat /etc/fstab
# /etc/fstab: static file system information.
#
# Use 'blkid' to print the universally unique identifier for a
# device; this may be used with UUID= as a more robust way to name devices
# that works even if disks are added and removed. See fstab(5).
#
# <file system> <mount point> <type> <options> <dump> <pass>
proc /proc proc defaults 0 0
# ROOT
UUID=490126db-90bd-4084-b41e-22533ce83045 / ext4 errors=remount-ro,usrjquota=aquota.user,grpjquota=aquota.group,jqfmt=vfsv0 0 1
# TMP
UUID=436100b9-728a-4ba9-b584-8147c337a8e2 /tmp ext4 nodev,nosuid,noexec 0 1
# VAR
UUID=b6ee2184-98b3-4a37-bacb-c159df6106ab /var ext4 defaults 0 1
# USR
UUID=77d5de42-0bb1-4cd1-8f7d-8e68989eeb0f /usr ext4 nodev 0 1
# HOME
UUID=0e59d0d9-1c82-4f38-8bd9-e94e6e1bde6d /home ext4 nodev,nosuid
# SWAP
UUID=c282d304-9fb1-46e8-8ed5-58f19809afef none swap sw 0 0
# BOOT
UUID=559ce434-ce3c-48e8-b2d0-083d7e42891a /boot noauto 0 1
# CDROM
/dev/scd0 /media/cdrom0 udf,iso9660 user,noauto 0 0
# DATA
#/dev/sdc1 /media/data ext4 users,auto,rw 0 0
root@rescue:/# cat /etc/mtab
/dev/md0 / ext4 rw,errors=remount-ro,usrjquota=aquota.user,grpjquota=aquota.group,jqfmt=vfsv0 0 0
tmpfs /lib/init/rw tmpfs rw,nosuid,mode=0755 0 0
proc /proc proc rw,noexec,nosuid,nodev 0 0
sysfs /sys sysfs rw,noexec,nosuid,nodev 0 0
udev /dev tmpfs rw,mode=0755 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0
devpts /dev/pts devpts rw,noexec,nosuid,gid=5,mode=620 0 0
root@rescue:/# cat /etc/crypttab
# <target name> <source device> <key file> <options>
system /dev/md1 none luks
root@rescue:/# pvdisplay
--- Physical volume ---
PV Name /dev/dm-1
VG Name vg_system
PV Size 1.82 TiB / not usable 987.00 KiB
Allocatable yes
PE Size 4.00 MiB
Total PE 476803
Free PE 161411
Allocated PE 315392
PV UUID X9m3Dj-Kyb5-5owI-fVrD-k3DT-957S-VcPgKf
root@rescue:/# vgdisplay
--- Volume group ---
VG Name vg_system
System ID
Format lvm2
Metadata Areas 1
Metadata Sequence No 9
VG Access read/write
VG Status resizable
MAX LV 0
Cur LV 6
Open LV 6
Max PV 0
Cur PV 1
Act PV 1
VG Size 1.82 TiB
PE Size 4.00 MiB
Total PE 476803
Alloc PE / Size 315392 / 1.20 TiB
Free PE / Size 161411 / 630.51 GiB
VG UUID oAEnia-PXBq-EKMi-QbWY-DQyt-fI14-N9OsHC
root@rescue:/# lvdisplay
--- Logical volume ---
LV Name /dev/vg_system/home
VG Name vg_system
LV UUID e3JIyi-ceMu-qA1y-fq25-6Ea8-MPjQ-FZNkws
LV Write Access read/write
LV Status available
# open 1
LV Size 400.00 GiB
Current LE 102400
Segments 1
Allocation inherit
Read ahead sectors auto
- currently set to 256
Block device 253:2
--- Logical volume ---
LV Name /dev/vg_system/var
VG Name vg_system
LV UUID Y83rFx-qVj2-FpVc-huAQ-JeSl-0FGM-SIgimh
LV Write Access read/write
LV Status available
# open 1
LV Size 300.00 GiB
Current LE 76800
Segments 1
Allocation inherit
Read ahead sectors auto
- currently set to 256
Block device 253:3
--- Logical volume ---
LV Name /dev/vg_system/usr
VG Name vg_system
LV UUID RahZdI-JKmm-lE1a-Pmr4-1Gc9-I3ud-dcsdJ2
LV Write Access read/write
LV Status available
# open 1
LV Size 150.00 GiB
Current LE 38400
Segments 1
Allocation inherit
Read ahead sectors auto
- currently set to 256
Block device 253:4
--- Logical volume ---
LV Name /dev/vg_system/tmp
VG Name vg_system
LV UUID Xlj1up-veZC-iCP7-xuLL-FKC8-UW3v-1PEDNZ
LV Write Access read/write
LV Status available
# open 1
LV Size 50.00 GiB
Current LE 12800
Segments 1
Allocation inherit
Read ahead sectors auto
- currently set to 256
Block device 253:5
--- Logical volume ---
LV Name /dev/vg_system/root
VG Name vg_system
LV UUID CF78gh-r4b2-xthO-2BZ5-hOag-mBuS-xJOW0B
LV Write Access read/write
LV Status available
# open 1
LV Size 300.00 GiB
Current LE 76800
Segments 1
Allocation inherit
Read ahead sectors auto
- currently set to 256
Block device 253:6
--- Logical volume ---
LV Name /dev/vg_system/swap
VG Name vg_system
LV UUID Tfhl9U-Jzzt-x1pi-j23S-KCJm-AWmj-Mn7EKi
LV Write Access read/write
LV Status available
# open 2
LV Size 32.00 GiB
Current LE 8192
Segments 1
Allocation contiguous
Read ahead sectors auto
- currently set to 256
Block device 253:7
root@rescue:/# cat /etc/mdadm/mdadm.conf
# mdadm.conf
#
# Please refer to mdadm.conf(5) for information about this file.
#
# by default, scan all partitions (/proc/partitions) for MD superblocks.
# alternatively, specify devices to scan, using wildcards if desired.
DEVICE partitions
# auto-create devices with Debian standard permissions
CREATE owner=root group=disk mode=0660 auto=yes
# automatically tag new arrays as belonging to the local system
HOMEHOST <system>
# instruct the monitoring daemon where to send mail alerts
MAILADDR root
# Definitions of existing MD arrays
ARRAY /dev/md0 level=raid1 num-devices=2 metadata=1.2 UUID=b27b5968:42fcb85c:384731f3:798e2323 name=server:0
ARRAY /dev/md1 level=raid1 num-devices=2 metadata=1.2 UUID=afcdc11c:ceea622a:2874362f:65798dd7 name=server:1
root@rescue:/# cat /etc/initramfs-tools/modules
# List of modules that you want to include in your initramfs.
# They will be loaded at boot time in the order below.
#
# Syntax: module_name [args ...]
#
# You must run update-initramfs(8) to effect this change.
#
# Examples:
#
# raid1
# sd_mod
# RAID
libata
ata_piix
md
raid1
# ENCRYPTION
dmcrypt
aes-i586
dm-crypt
dm-mod
aes_x86_64
aesni_intel
cryptd
aes_generic
# lvm
lvm2
root@rescue:/# cat /etc/modules
# /etc/modules: kernel modules to load at boot time.
#
# This file contains the names of kernel modules that should be loaded
# at boot time, one per line. Lines beginning with "#" are ignored.
# Parameters can be specified after the module name.
loop
# Generated by sensors-detect on Fri Jun 3 12:18:28 2011
# Chip drivers
it87
# RAID modules
md
linear
multipath
raid1
# Enable AMD Cool & Quiet technology
processor
powernow-k8
# V4L2 (TV CARD & IR CONTROL)
dvb-core
saa7134
saa7134-alsa
saa7134-dvb
root@rescue:/# cat /boot/grub/grub.cfg
#
# DO NOT EDIT THIS FILE
#
# It is automatically generated by grub-mkconfig using templates
# from /etc/grub.d and settings from /etc/default/grub
#
### BEGIN /etc/grub.d/00_header ###
if [ -s $prefix/grubenv ]; then
load_env
fi
set default="0"
if [ "${prev_saved_entry}" ]; then
set saved_entry="${prev_saved_entry}"
save_env saved_entry
set prev_saved_entry=
save_env prev_saved_entry
set boot_once=true
fi
function savedefault {
if [ -z "${boot_once}" ]; then
saved_entry="${chosen}"
save_env saved_entry
fi
}
function load_video {
insmod vbe
insmod vga
insmod video_bochs
insmod video_cirrus
}
insmod raid
insmod mdraid
insmod part_gpt
insmod part_gpt
insmod ext2
set root='(md/0)'
search --no-floppy --fs-uuid --set 559ce434-ce3c-48e8-b2d0-083d7e42891a
if loadfont /grub/unicode.pf2 ; then
set gfxmode=640x480
load_video
insmod gfxterm
fi
terminal_output gfxterm
insmod raid
insmod mdraid
insmod part_gpt
insmod part_gpt
insmod ext2
set root='(md/0)'
search --no-floppy --fs-uuid --set 559ce434-ce3c-48e8-b2d0-083d7e42891a
set locale_dir=($root)/grub/locale
set lang=en
insmod gettext
set timeout=5
### END /etc/grub.d/00_header ###
### BEGIN /etc/grub.d/05_debian_theme ###
set menu_color_normal=cyan/blue
set menu_color_highlight=white/blue
### END /etc/grub.d/05_debian_theme ###
### BEGIN /etc/grub.d/10_linux ###
menuentry 'Debian GNU/Linux, with Linux 2.6.32-5-amd64' --class debian --class gnu-linux --class gnu --class os {
insmod gzio
insmod raid
insmod mdraid
insmod part_gpt
insmod part_gpt
insmod ext2
set root='(md/0)'
search --no-floppy --fs-uuid --set 559ce434-ce3c-48e8-b2d0-083d7e42891a
echo 'Loading Linux 2.6.32-5-amd64 ...'
linux /vmlinuz-2.6.32-5-amd64 root=/dev/mapper/vg_system-root ro quiet
echo 'Loading initial ramdisk ...'
initrd /initrd.img-2.6.32-5-amd64
}
menuentry 'Debian GNU/Linux, with Linux 2.6.32-5-amd64 (recovery mode)' --class debian --class gnu-linux --class gnu --class os {
insmod gzio
insmod raid
insmod mdraid
insmod part_gpt
insmod part_gpt
insmod ext2
set root='(md/0)'
search --no-floppy --fs-uuid --set 559ce434-ce3c-48e8-b2d0-083d7e42891a
echo 'Loading Linux 2.6.32-5-amd64 ...'
linux /vmlinuz-2.6.32-5-amd64 root=/dev/mapper/vg_system-root ro single
echo 'Loading initial ramdisk ...'
initrd /initrd.img-2.6.32-5-amd64
}
### END /etc/grub.d/10_linux ###
### BEGIN /etc/grub.d/20_linux_xen ###
### END /etc/grub.d/20_linux_xen ###
### BEGIN /etc/grub.d/30_os-prober ###
### END /etc/grub.d/30_os-prober ###
### BEGIN /etc/grub.d/40_custom ###
# This file provides an easy way to add custom menu entries. Simply type the
# menu entries you want to add after this comment. Be careful not to change
# the 'exec tail' line above.
### END /etc/grub.d/40_custom ###
### BEGIN /etc/grub.d/41_custom ###
if [ -f $prefix/custom.cfg ]; then
source $prefix/custom.cfg;
fi
### END /etc/grub.d/41_custom ###
root@rescue:/# mdadm --detail --scan
ARRAY /dev/md/0 metadata=1.2 name=rescue:0 UUID=b27b5968:42fcb85c:384731f3:798e2323
ARRAY /dev/md/1 metadata=1.2 name=rescue:1 UUID=afcdc11c:ceea622a:2874362f:65798dd7
root@rescue:/# cat /proc/mdstat
Personalities : [linear] [multipath] [raid0] [raid1] [raid6] [raid5] [raid4] [raid10]
md1 : active raid1 sda3[0] sdb3[1]
1952988095 blocks super 1.2 [2/2] [UU]
md0 : active raid1 sda1[0] sdb1[1]
511988 blocks super 1.2 [2/2] [UU]
unused devices: <none>
---------------------------------------------------------------
Sorry for the long post. The strange thing about mdadm is that sometimes
the raid volumes are called md0 or md1 and other times md/0 or md/1.
***Kernel information is incorrect*** as this was done inside a chroot: the
correct kernel version is
root@rescue:/# aptitude show linux-image-2.6.32-5-amd64
Package: linux-image-2.6.32-5-amd64
State: installed
Automatically installed: yes
Version: 2.6.32-41
I do not know what I'm doing wrong. To sum it up the problems are:
1) mdadm doesn't seem to assemble the RAID devices in time at boot via
initramfs
2) cryptsetup doesn't seem able to access the /dev/md1 raid device on which
reside all lvm volumes (/dev/md0 is for boot)
3) after something like 2 minutes I'm dropped to an (initramfs) shell
No logs found inside /var/log/messages
I can get to the grub2 menu, click "Debian 2.6.32-5" but after that I
cannot continue boot.
Is there some "trick" to make mdadm, lvm2 and cryptsetup mount my
filesystems at bootup correctly ?
-- System Information:
Debian Release: 6.0.4
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 3.2.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
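
The report shows the same two arrays listed differently by /etc/mdadm/mdadm.conf and by "mdadm --detail --scan", while /etc/crypttab refers to the LUKS container by path. The following is an added example, not part of the original message: it matches the ARRAY lines from the post by UUID, lists the fields that differ, and reports crypttab sources that do not appear as a device path in a given listing. It is a plain text comparison and makes no statement about device state; the function names are hypothetical.

```python
# Constructed sample input: lines copied from the post, wrapped lines rejoined.
MDADM_CONF = (
    "ARRAY /dev/md0 level=raid1 num-devices=2 metadata=1.2 "
    "UUID=b27b5968:42fcb85c:384731f3:798e2323 name=server:0\n"
    "ARRAY /dev/md1 level=raid1 num-devices=2 metadata=1.2 "
    "UUID=afcdc11c:ceea622a:2874362f:65798dd7 name=server:1\n"
)
SCAN_OUTPUT = (
    "ARRAY /dev/md/0 metadata=1.2 name=rescue:0 "
    "UUID=b27b5968:42fcb85c:384731f3:798e2323\n"
    "ARRAY /dev/md/1 metadata=1.2 name=rescue:1 "
    "UUID=afcdc11c:ceea622a:2874362f:65798dd7\n"
)
CRYPTTAB = "# <target name> <source device> <key file> <options>\nsystem /dev/md1 none luks\n"

def parse_arrays(text):
    """Map array UUID -> attributes (plus 'device') for every ARRAY line."""
    arrays = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 2 or fields[0].upper() != "ARRAY":
            continue
        attrs = {k.lower(): v for k, v in
                 (f.split("=", 1) for f in fields[2:] if "=" in f)}
        attrs["device"] = fields[1]
        if "uuid" in attrs:
            arrays[attrs["uuid"].lower()] = attrs
    return arrays

def compare_arrays(conf_text, scan_text, keys=("device", "name")):
    """List (uuid, key, conf_value, scan_value) where the two listings differ."""
    conf, scan = parse_arrays(conf_text), parse_arrays(scan_text)
    diffs = []
    for uuid in sorted(set(conf) | set(scan)):
        c, s = conf.get(uuid, {}), scan.get(uuid, {})
        diffs += [(uuid, k, c.get(k), s.get(k)) for k in keys if c.get(k) != s.get(k)]
    return diffs

def unmatched_crypttab_sources(crypttab_text, arrays_text):
    """crypttab md sources whose path is not an ARRAY device in arrays_text."""
    devices = {a["device"] for a in parse_arrays(arrays_text).values()}
    sources = [f[1] for f in (l.split("#", 1)[0].split()
               for l in crypttab_text.splitlines()) if len(f) >= 2]
    return [s for s in sources if s.startswith("/dev/md") and s not in devices]

if __name__ == "__main__":
    for uuid, key, conf_val, scan_val in compare_arrays(MDADM_CONF, SCAN_OUTPUT):
        print(f"{uuid}: {key} is {conf_val!r} in mdadm.conf, {scan_val!r} in scan")
    print("crypttab sources absent from scan:", unmatched_crypttab_sources(CRYPTTAB, SCAN_OUTPUT))
```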